Usable Human Authentication: A Quantitative Treatment

Abstract

A typical computer user today manages passwords for many different online accounts. Users struggle with this task--often forgetting their passwords or adopting insecure practices, such as using the same passwords for multiple accounts and selecting weak passwords. While there are many books, articles, papers and even comics about selecting strong individual passwords, there is very little work on password management schemes--systematic strategies to help users create and remember multiple passwords. Before we can design good password management schemes it is necessary to address a fundamental question: How can we quantify the usability or security of a password management scheme. One way to quantify the usability of a password management scheme would be to conduct user studies evaluating each user's success at remembering multiple passwords over an extended period of time. However, these user studies would necessarily be slow and expensive and would need to be repeated for each new password management scheme. Our thesis is that user models and security models can guide the development of password management schemes with analyzable usability and security properties. We present several results in support of this thesis. First, we introduce Naturally Rehearsing Password schemes. Notably, our user model, which is based on research on human memory about spaced rehearsal, allows us to analyze the usability of this family of schemes while experimentally validating only the common user model underlying all of them. Second, we introduce Human Computable Password schemes, which leverage human capabilities for simple arithmetic operations. We provide constructions that make modest demands on users and we prove that these constructions provide strong security: an adversary who has seen about 100 10-digit passwords of a user cannot compute any other passwords except with very low probability.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jun 30, 2014
Accession Number
ADA606747

Entities

People

  • Jeremiah Blocki

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Autonomy
  • C4I
  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Artificial Intelligence
  • Authentication
  • Cognitive Science
  • Computational Science
  • Computer Programs
  • Computer Science
  • Computers
  • Cryptography
  • Electronic Mail
  • Information Processing
  • Network Science
  • Operating Systems
  • Probability
  • Psychology
  • Random Variables
  • Security Protocols
  • Social Media

Fields of Study

  • Computer science

Readers

  • Cybersecurity.
  • Software Engineering.
  • Systems Analysis and Design

Technology Areas

  • Space